DevSecOps Masterclass: AppSec Automation Edition

DevOps has changed the way we deliver apps. However, security remains a serious bottleneck, especially Application Security. This is largely due to the speed of innovation in DevOps, contrasted with the escalating attacks against Applications.

This training takes a comprehensive, focused, and practical approach to implementing DevSecOps Practices with a focus on Application Security Automation. The training is based on our 4.9/5 Rated DevSecOps Masterclass at Blackhat.

We conducted this training last year at Black Hat Asia 2024 with an awesome response.

The training is a hardcore hands-on journey into: Hands-on SAST for Apps and Infrastructure-as-Code, with a focus on Semgrep and CodeQL. Develop Custom SAST rules like a base!

Supply-Chain Security Automation: SBOMs, Source Composition Analysis, and Security Engineering techniques Assurance and Provenance for artifacts. Mastery over Cosign and SLSA for Supply-Chain Provenance DAST Automation and Security Regressions with ZAP and Nuclei. Policy-As-Code: Leverage Open Policy Agent (OPA) with use-cases from API Access Control to OS Policy Controls.

Participants get 2-month access to our online lab environment for DevSecOps training

This training takes a comprehensive, focused and practical approach at implementing DevSecOps Practices with a focus on Application Security Automation. The training is a glued-to-your-keyboard hands-on journey with labs that are backed by practical examples of DevSecOps and AppSec Automation.

The Training starts with a view of DevSecOps, specifically in terms of embedding security activities in multiple stages of the Software Development Lifecycle. Subsequently, the training delves into specific Application Security Automation approaches for SAST, SCA and Supply-Chain Security, DAST and Integration of these tools into CI/CD tools and Automation Pipelines.

In this edition, we’re completely rebuilding our existing DevSecOps content to reflect the very bleeding edge of Application Security Automation and DevSecOps Approaches. These include, but not limited to: Hands-on SAST for Apps and Infrastructure-as-Code, with a focus on Semgrep and CodeQL. Develop Custom SAST rules like a bawse! Supply-Chain Security Automation: SBOMs, Source Composition Analysis and Security Engineering techniques. This segment will additionally have several approaches to building secure base images for containers Supply-Chain Assurance and Provenance for artifacts. Supply-Chain Security attacks are largely caused by lack of assurance and poor provenance of software supply-chain artifacts. We’ll be diving into the SLSA (Supply-Chain Levels for Software Artifacts) Standard and how automation can help achieve levels of compliance. In addition we’ll be diving into Cosign from Project sigstore. This can be used to generate keyed/keyless signatures for container images and other build artifacts including packages and SBOMs. Secret Management - This segment of the class will dive into Secrets Management and Encryption tools like Hashicorp Vault. This will have examples of advanced implementations for Encryption, Key Management and Dynamic Secrets DAST Automation with OWASP ZAP and Nuclei. We’ll be exploring API based scanning with OWASP ZAP and Test Automation Frameworks. In addition, we’ll explore using and building custom DAST automation with Nuclei. This will not only aid in integrating DAST into Automation Pipelines, but also be used for Security Regressions for more complex vulnerabilities Policy-As-Code with Open Policy-Agent (OPA). OPA is a powerful framework that can be used to create and enforce policies across a variety of deployment environments. From being used to perform Access Control and Input Validation in API Gateways, to be used in Container Registries and Operating Systems for deploying and enforcing security policies. You’ll learn OPA’s Domain Specific Language, rego in order to understand policy-as-code frameworks. Integrating Security Automation with CI/CD tooling. Here we’ll be exploring integrating Security Automation with CI/CD tools including Github Actions, Gitlab and Jenkins. In addition, we’ll be leveraging Data Flow Automation tools like Robot Framework, Gaia and Prefect to provide alternatives to typical CI/CD tools for AppSec Automation.

Each section of the training will contain a challenge section that will enable the trainees and the trainers to identify levels of student learning

Detailed Outline

Day 1

The Problem with the old models of Application Delivery
- A Quick History of Agile and DevOps
- The Coming of DevOps
- The Need for Security in DevOps
- Security in Continuous Integration and Continuous Deployment
Introduction to Static Application Security Testing (SAST) for Continuous Integration
- Static Analysis Types
  - Hands-on:
    - RegEx Tools
    - Abstract Syntax Trees
    - QL/Semantic Grep Tools => CodeQL and Semgrep
  - Semgrep Deep-Dive
    - Rules Syntax
    - Taint Analysis
    - Metavariables, Metafunctions and MetaClasses
    - Semgrep against multiple languages:
      - Python
      - JavaScript
      - Go(lang)
      - Java
      - Ruby
  - CodeQL Deep-Dive
    - Rule Syntax
    - CodeQL VSCode Composition Tools
    - CodeQL for multiple languages:
      - C#
      - Python
      - Java
      - JavaScript
- Challenge Segment - Finding Bugs with Semgrep and CodeQL
- Static Analysis Automation Strategies
  - Hands-on:
    - Automation in IDE
    - Automation - Part of Git hooks
    - Automation - PR and MR Static Analysis Tooling (Github Actions, etc)
    - Automation - Build Pipeline and Pre-Deployment
- Static Analysis for Infrastructure-as-Code
  - Hands-on:
    - Kube-Linter
    - Checkov
    - Integrating Infrastructure-as-Code Scanning with Github Actions and Deploy pipelines
- Static Analysis in CI and CD pipelines
  - Hands-on:
    - Github Actions
    - Gitlab Dev
    - Jenkins
Source Composition Analysis and Software Bill of Materials in DevSecOps
- Concept Overview:
  - Artifact Lifecycle
  - SBOM
  - Package Provenance
  - SLSA - Supply-Chain Levels for Software Artifacts
  - Source Composition Analysis
- Package Provenance and Assurance Deep-Dive
  - Cosign Deep-Dive - Keyed and Keyless
  - SLSA Provenance Generator for Github Actions and Levels
- SBOM Deep-dive:
  - Hands-on:
    - CycloneDX
    - SPDX, SWID
- SCA Deep-dive and Automation Strategies:
  - Hands-on:
    - Incremental SCA with Github Actions => Pull Requests and Merge Requests
    - Package Manager integrated SCA with NPM, Poetry, Dependabot
    - OWASP Dependency Track and Dependency Check

Day 2

Dynamic Application Security Testing with Continuous Integration
Concepts of DAST with Security Testing
- Security Automation Testing using OWASP ZAP, Selenium, OpenAPI (Swagger)
- Security Regression Tests - How to design and write them
Nuclei Deep-Dive
- Hands-on:
  - Nuclei Templates
  - Integrating Nuclei into Pipelines
  - Using Nuclei for Security Regression
Application Security Automation and Test Orchestration – Deep-Dive:
- Hands-on:
  - OWASP ZAP Deep-Dive
    - Scan Policy
    - Extensions
  - OWASP ZAP API Deep-Dive
    - Leveraging OWASP ZAP API with Selenium for testing browser-based applications
    - Leveraging OWASP ZAP API and (Tavern/RESTInstance/Chai) to test web services and microservices
    - OWASP ZAP API Testing with OpenAPI Specification
  - OWASP ZAP Scripting Workshop
    - Create Active Scan Scripts for Custom Application Vulnerabilities
Policy-as-code with Open Policy Agent
- Open Policy Agent Basics and Framework Overview
- Hands-on: Rego Basics - Language essentials and composition rules
- Hands-on:
  - Using OPA and Rego for API RBAC and AuthZ Implementation with API Gateways
  - Using OPA for Advanced Input Validation for APIs
  - Using OPA for Terraform Policy Definition and Enforcement
Secrets Management
- Intro to Secrets Management - A Case for a structured approach to managing secrets
- Secrets vs Sensitive Information - A Distinction and varied Threat Model
- Secret Management Fails:
  - Secret Management in GitOps fails
  - Real-world incidents that were caused extensively by bad secrets management
Secrets Management with Hashicorp Vault (Hands-on):
- Introduction to HashiCorp Vault and its API
- Deploying Vault in Prod
- Managing Secrets with Vault => Static Secrets
- Encryption, Key Rotation and Rewrapping with Vault Transit Secrets Engine
- Dynamic Secrets with Vault => Using Dynamic Secrets for short-term leases for databases
Pipelines and Tooling
- Overview of Tooling:
  - Github Actions
  - Gitlab
  - Jenkins
  - Data Flow Automation Tools: Prefect, Gaia, Apache Airflow
- Hands-on:
  - DevSecOps Pipelines with Github Actions
  - DevSecOps Pipelines with Gitlab
  - DevSecOps with Jenkins
  - DevSecOps with Gaia and Prefect

About the Speaker

Vishnu Prasad

Vishnu Prasad is a DevSecOps Lead at we45. A DevSecOps and Security Automation wizard, he has implemented security in DevOps for numerous Fortune 500 companies.

Vishnu has experience in Continuous Integration and Continuous Delivery across various verticals, using tools like Jenkins, Selenium, Docker, and other DevOps tools. His role sees him automating SAST, DAST, and SCA security tools at every phase of the build pipeline. He commands knowledge of every major security tool out there, including ZAP, Burp, Findsecbugs, and npm audit, among many others. He’s a tireless innovator, having Dockerized his entire security automation process for cross-platform support to build pipelines seamlessly.

His experience extends even beyond DevSecOps: he designs and develops Web Application Security tools, performs vulnerability management and orchestration, and consults on security assessments for major companies. He’s proficient in languages like Python, Java, Javascript, Angular, and more. He regularly trains major companies and team members on application security automation, DevSecOps, and AppSec Essentials as well.

With over eight years of experience in delivering training sessions, He is an AppSecEngineer Certified DevSecOps Trainer specializing in instructing developers, security teams, and DevSecOps professionals on various DevSecOps topics since 2017. His expertise extends to being a recognized trainer at Black Hat events, the world’s largest Information Security conference, since 2021.